Justice versus legality – the case of Daniel Cuthbert

This is the unedited version of an article sent in by Diana Quaver, which we published earlier in a reduced form. Diana has been closely following this story, which should be of great interest to the on-line community:

I have recently followed the trial of Daniel Cuthbert. This was the gentleman who was accused of “hacking” into the website of the Disasters and Emergency Committee. He was recently “regretfully” found guilty under section 1 (a) of the Computer Misuse Act 1990. He never even lived in Whitechapel. This was the BBC story a few months ago:

Charge over tsunami ‘hacking’ bid

A man has been charged over an alleged attempt to hack into a website set up to raise funds after the Asian tsunami.

Daniel Cuthbert, 28, of Whitechapel, east London, has been charged with one offence under the Computer Misuse Act.

Scotland Yard said the charge followed an alleged unauthorised access of the Disasters and Emergency Committee site on New Year’s Eve.

Mr Cuthbert is due to appear at Horseferry Magistrates’ Court next Thursday.

The disaster fund has raised an estimated £250m to help victims of the tsunami.

Tens of thousands of people used its web pages to offer money to those caught in the Boxing Day tragedy.

Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate £30 via the website that was hastily set up to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive a confirmation of payment or a reference and became concerned, as he had had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they had shown the site to be insecure, as he suspected, he would have contacted the authorities; he had nothing to gain from doing this for fun, or from keeping to himself his suspicion that the site was a phishing site and that all the money pledged was going to some South American, somewhere in South America.

The first test he used was the ../../../ sequence (dot dot slash, three times). The ../ sequence is called a directory traversal; it moves you up one level in the file hierarchy. The triple sequence amounts to a DTA (Directory Traversal Attack) and moves you up three levels. It is not a complete attack, as that would require a further command; it was merely a light “knock on the door”. The other test, an apostrophe ( ‘ ), was also used. He was then satisfied that the site was safe, as he received no error messages in response to his queries, and went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.
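The directory traversal described above, seen from the server side: an added example (not code from the article, the DEC site or BT) showing how a hardened request handler resolves each ../ as one step up the hierarchy, refuses as soon as a request would climb above the document root, and answers with an explicit error rather than the silent blank page the article says Cuthbert received. WEBROOT is a hypothetical path.

```python
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root of the donation site (not a path from the article).
WEBROOT = "/var/www/donate"


def resolve_under_webroot(url_path: str) -> Optional[str]:
    """Map a request path onto the filesystem, staying inside WEBROOT.

    Each ".." segment moves one level up the directory hierarchy, exactly
    as the article describes. Returns the resolved path, or None as soon
    as a ".." would climb above the document root, which is what makes
    "../../../" sent at the site root a traversal attempt rather than an
    ordinary relative path.
    """
    # Decode percent-encoding first: "%2e%2e/" is the same request as "../".
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None                       # NUL bytes never belong in a path
    depth = []                            # directory segments accepted so far
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                      # empty or "here": no movement
        if segment == "..":
            if not depth:
                return None               # would leave WEBROOT: refuse
            depth.pop()                   # one level up, still inside the root
            continue
        depth.append(segment)
    return "/".join([WEBROOT, *depth])


def handle_request(url_path: str) -> int:
    """HTTP status a hardened handler sends (assumes the file exists when in root)."""
    if resolve_under_webroot(url_path) is None:
        return 403                        # explicit refusal, not a silent blank page
    return 200


if __name__ == "__main__":
    for probe in ("/donate/", "/images/../index.html", "/donate/../../../", "/%2e%2e/%2e%2e/"):
        print(f"{probe!r:26} -> {handle_request(probe)} {resolve_under_webroot(probe)}")
```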

20 days later he was arrested at his place of work and had his house searched. In the first part of his interview he did not readily acknowledge his actions, but in the second half of the interview he did. He was a little distraught and confused upon arrest, as anyone would be in that situation, and did not ask for a solicitor, as he maintained he had done nothing wrong. His tests were done in a two-minute timeframe, then forgotten about.

He was prosecuted under the Computer Misuse Act 1990, which was signed in 1989, when perms were just going out of fashion, mobile phones were like bricks and cost £1000, and we were still using green type on a black background. The word “Computer” was not even defined, as they realised that this area was moving at light speed and wanted to keep it open. Sadly, it has become open to willy-nilly interpretation, and the magistrate decided there was intention to access data as stated in section 1(a); although I may be biased, it is an incorrect interpretation.

Cuthbert was prosecuted under the Computer Misuse Act 1990, and convicted under Section 1 (a) of this Act. The relevant section of the Act is:

a. he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

b. the access he intends to secure is unauthorised; and

c. he knows at the time when he causes the computer to perform the function that that is the case.

As an expert, if he had had true intent (as the judge deemed he did, which is an incorrect analysis) he would have been more than capable of “hacking” and gunning that door down with a digital version of a point-blank range AK47, but he did not. He perhaps should not have done tests that are beyond the knowledge of a regular user, but a caution would have sufficed; there was no need for a trial and certainly not for 10 months of waiting. The policeman was smug as he got his brownie points, and the CPS prosecutor was what one can expect of a CPS prosecutor: patronising, pedantic and uninteresting, but sadly successful.

The ../ sequence triggered the alarm, which was set to “high” for this sort of “attack”, at the donate.bt.com website that was set up for the DEC website. This alerted someone that there was something potentially suspicious; it was then passed up to someone who reported it to the police. They found their suspect through the IP address and were able to trace it to his laptop. Well, the Computer Crime Unit (known in the industry as “Muppets”) were very happy they got their man.

Mr Cuthbert was convicted under S. 1 (a) of the Computer Misuse Act 1990. It will be almost impossible for him to work in IT, the security industry being totally based on trust and reputation, as they are all freelancers and rely on contacts. That simply is not right. Justice is not always synonymous with legality.

When someone tells you “whatever you do, do not press the red button”, you are almost compelled to press it. In just that way, I am feverishly tempted to type the ../../../ sequence into the Ministry of Defence website and see what happens. Maybe not.

32 comments to Justice versus legality – the case of Daniel Cuthbert

What can an individual do to prevent authorities from knowing the IP he is accessing the Internet from, and the data he is sending and receiving? In other words, what can be done to be anonymous and encrypt information from one private person to another?

I don’t expect perfect security, however even a short period of time to track individuals and decrypt information creates a significant barrier when it is multiplied by a large number of users.

I use an onion-routing program called Tor. I am ignorant of how useful it is, especially how well it would provide protection against a government, and I am ignorant of other things I might do to enhance my security. Still, it’s nice to see Google consistently mistakenly ping me as being from various foreign countries.

“What can an individual do to prevent authorities from knowing the IP he is accessing the Internet from, and the data he is sending and receiving? In other words, what can be done to be anonymous and encrypt information from one private person to another?”

In this instance nothing: you have to give the site an IP Address if it is to return any data to you. It would appear that it was the administrator of this site that snitched this chap to the Police: the “authorities” would not have known his IP address without the collusion of the site owner/administrator.

Yanno, I’m thinking, with the sums of money involved, this case does have some legitimacy. Okay, he didn’t mean anything, but still. A cop catching you with a bunch of lockpicks at the back door of a bank isn’t going to listen to “I was just testing my cash is secure”. This guy’s hack attempt is a fact – his motivation is hearsay. A real hacker would make similar excuses. The law can’t afford to let people off because they “didn’t really mean anything by it”.

The interesting thing, I think, from this case is the complete failure to establish either:

Firstly, intent (being based, in this case, entirely on opinion rather than fact).

Secondly, a definition of what is, or is not, unauthorised in the context of an unauthenticated public access web site (in this case it was accepted that the site provides no clear definition prior to accepting a donation, nor indeed provides an error message when an operation fails). It seems that you do not have to make a visitor aware of what you authorise them to do, nor exclude, when you provide a public access service.

The result being that if you enter a URL into a browser, and for whatever reason the owner of the site in retrospect decides that your actions were “unauthorised” then you could potentially face charges identical to Daniel.

Julian Morrison writes: “I’m thinking, with the sums of money involved, this case does have some legitimacy. Okay, he didn’t mean anything, but still. A cop catching you with a bunch of lockpicks at the back door of a bank isn’t going to listen to “I was just testing my cash is secure”.”

I don’t know much about computers, but going from the description of the facts given in the main post Mr Morrison’s analogy is too strong. A better analogy would be that Mr Cuthbert was found poking or tugging at the fascia of a cash machine, having become suspicious that it was an overlay put there by criminals.

Mr Cuthbert didn’t help his case by altering his story to the police. In the linked report the judge stated he regretted having to find him guilty but that Cuthbert was “deliberately trying to throw the police off the trail”, by saying one thing and then another.

That the judge accepted Mr Cuthbert meant no harm by his actions may explain why he was fined but not imprisoned.

I wonder did the admin on the DEC webserver report every one of these probes to the Police? I admin 5 small scale webservers and, looking at the logs, see hundreds of this type of thing every month. If I reported every one I don’t think my local Police would be too pleased.

Following 1327, I too receive such attacks against my company website on a frequent basis. I also receive, typically daily, email phishing attacks and Nigerian 419 scam attempts.

Currently, I ignore these, or occasionally (for frequent attacks from the same place) report them to my ISP.

This case makes me wonder whether my public duty would be better done by reporting each one of these crimes. Even if the police do not have the resources to investigate them, or view such investigation as unlikely to be fruitful, perhaps there should be proper recording of such crimes for the benefit of improved reliability in the statistics.

1. is the lowest level of offence. It includes, for example, finding or guessing someone’s password, then using that to get into a computer system and have a look at the data it contains. This is an offence even if no damage is done, and no files deleted or changed. The very act of accessing materials without authorisation is illegal and punishable by 6 months jail or a £5000 fine.

2. builds on the previous offence. The key here is the addition of ‘intent to commit…further offences’. It therefore includes guessing or stealing a password, and using that to access, say another person’s on-line bank account and transferring their money to another account. For this offence the penalty is up to five years’ imprisonment and/or a fine.

3. “can” include deleting files, changing the desktop set-up or introducing viruses with the intent to impair the operation of a computer, or access to programs and data. The word ‘intent’ means it has to be done deliberately, rather than someone deleting files by mistake. This also includes using a centre’s computer to damage other computers outside the centre, even though the computer used to do this is itself not modified in any way.

Personally I think he was fully entitled to check that the system he was paying via was secure. Unfortunately the law takes a different opinion, especially where the private bureaucratic monstrosity that is BT is concerned …

In my opinion the Judge has got this completely wrong. If we look at the evidence from the trial together with the act itself, my opinion is:

Section (1) of the Act states:
(1) A person is guilty of an offence if –

a. he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

The evidence suggested that Daniel did indeed intend to secure access to any program or data held in any computer. We are all guilty of this one when we access any public site!

b. the access he intends to secure is unauthorised; and

The access that Daniel intended to secure was not an unauthorised one! Daniel intended to receive an error page that would go some way to indicate that the web site was secure.

c. he knows at the time when he causes the computer to perform the function that that is the case.

Daniel knew at the time that entering the commands he did would either give him access to an authorised error page on a legitimate site or it would not. And if it did not, it could indicate that the site was insecure and therefore could potentially be illegal.

If you think about it, if you had just posted all your personal details and your credit card details to a site, what would you hope to get back? Or to put it another way, what would you intend to secure access to when carrying out the directory traversal? An authorised error page or a directory listing from a Korean University?

To me it is clear, Daniel’s intent had to be “to gain access to an authorised error page”. To be prosecuted under section 1 of the CMA the intent has to be to gain access to an area that is unauthorised. Therefore, in my opinion the verdict of the Judge has to be incorrect.

When is the last time you heard of a hacker intentionally leaving detailed personal information immediately prior to an attack?

When is the last time you saw an attack profile that matched this one… two simple commands and no further action? (from a traceable source).

The bottom line is we have a judge who recognised Daniel’s good character, excellent reputation and clean record. He also acknowledged the unsuitability of the CMA which was written before we had the Internet in any useful form. As the judge pointed out on more than one occasion, the CMA was written in very general terms as they simply did not know what direction the technology it was written to protect would take. One example of this mentioned in the case was the failure to even define the term ‘computer’. Anything written in this way must be open to interpretation.

Despite this being accepted by the judge, he took the easy way out. Rather than acknowledging the shortcomings of the CMA and making a decision based on the facts and common sense, he bowed to corporate and police pressure and ruined the career of a talented individual.

Well, I’m as suspicious of The Proper Authorities as the next man (and more so than most), but I dunno about this.

If you think your house has been burgled, do you:

a.) inform Plod, or
b.) start sleuthing after the criminals yourself?

This hapless idiot seems to have been infected by the Common Geek Virus: if you CAN do something, you SHOULD.

On the other hand, the judge, seeing that the guy was guilty of stupidity, should rather have let him off with a fine (say, thirty quid). That this well-intentioned but dim guy should be treated in the same way as Harry The Hacker seems like judicial overkill.

“This hapless idiot seems to have been infected by the Common Geek Virus: if you CAN do something, you SHOULD.”

…but he didn’t actually do anything to compromise any computer system.

“This guy’s hack attempt is a fact – his motivation is hearsay. A real hacker would make similar excuses. The law can’t afford to let people off because they “didn’t really mean anything by it”.”

Let me make this very clear. Directory traversal like that with no commands as followup isn’t going to do anything at all to compromise a computer system.

It cannot yield anything at all. So, in fact, this is not a crack attempt, but *COULD* be seen by someone as a sign of further intent (if they were very stupid, the man posted his OWN credit card details immediately prior to typing the URL in his browser). Almost precisely the opposite of what you said.

That particular malformed URL is not a crack attempt, but something respectable people anywhere might idly do, suspecting a fake site, or something they might even do by accident.

Roundly stating that this is factually a definite crack attempt, is exactly the sort of specious, ill-informed nonsense that led to the CMA in the first place.

Like the CMA, it looks nice and authoritative to people who don’t know what they’re talking about, but makes a criminal of innocent members of the general public because it’s vague, stupid, and misinformed.

To computer-savvy people, never mind analogies about ATM machines or Banks, this really is the equivalent of being arrested for eating cornflakes in the morning before you go to work.

I’d like to say I have never seen anything so ridiculous in my life as this court case. However, I’ve been reading about British courts for years now.

We all await the legislation against glorifying “hacking” with interest.

You can tell Daniel was not a criminal; he would have known the police in the UK have absolutely no interest in guilt or innocence, they really only care about conviction, and the more serious a conviction they can muster the better. Not one single policeman or woman would ever report that a person was innocent if they knew it to be the case, unless they had someone else lined up to take the blame. It’s all about their conviction rate figures; there is no justice in this country, which is why I laughed my head off about PC Blakelock. We live in a police state by default, and every pig that is killed deserves champagne corks popping in celebration – Harry Roberts a true hero.

Just to point out it wasn’t the admins of the DEC webservers that reported him, it was rather BT’s IDS (Intrusion Detection System) which was set to pick up certain patterns which could be attacks.

IIRC he was also using Lynx (a text based web browser) on Solaris (a UNIX derivative), which I believe added to the IDS tagging him as an attacker (I should point out that is from my /bad/ memory).

However the idea of arresting the guy is quite absurd – his cat walking aimlessly over the keyboard looking for attention could have done this. But there are better ways to go about checking the validity of a website – a whois for starters.
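An IDS-style check of the kind the comment above describes, as an added example that is neither the commenter’s code nor BT’s actual rules: it scans constructed Apache-format log lines for the two probe patterns the article mentions (a ../ sequence and a stray quote), decoding percent-encoding first, and tallies them per source address so an administrator can see the profile of a source that sent two such requests and nothing else. The addresses, timestamps and user agents in the sample are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format; not real DEC or BT log data.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:23:58:01 +0000] "GET /donate/ HTTP/1.1" 200 5120 "-" "Lynx/2.8.5"
203.0.113.7 - - [31/Dec/2004:23:58:40 +0000] "GET /donate/../../../ HTTP/1.1" 200 5120 "-" "Lynx/2.8.5"
203.0.113.7 - - [31/Dec/2004:23:59:02 +0000] "GET /donate/' HTTP/1.1" 200 5120 "-" "Lynx/2.8.5"
198.51.100.9 - - [01/Jan/2005:00:03:11 +0000] "GET /index.html HTTP/1.1" 200 811 "-" "Mozilla/4.0"
198.51.100.9 - - [01/Jan/2005:00:03:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Source address and request path from one combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

# Patterns an IDS might flag; applied to the decoded path so %2e%2e/ is caught as well.
PROBE_PATTERNS = {
    "directory_traversal": re.compile(r"(?:^|/)\.\.(?:/|$)"),   # a ../ segment
    "quote_probe": re.compile(r"['\"]"),                          # a stray quote
}


def classify_request(path: str) -> List[str]:
    """Names of the probe patterns present in a request path (empty if none)."""
    decoded = unquote(path)
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]


def summarise(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count flagged request types per source address; clean sources are omitted."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        for tag in classify_request(m.group("path")):
            counts[m.group("ip")][tag] += 1
    return {ip: dict(tags) for ip, tags in counts.items()}


if __name__ == "__main__":
    for ip, tags in summarise(SAMPLE_LOG).items():
        print(ip, tags)
```

A source that shows up with one traversal probe and one quote probe and no follow-up requests matches exactly the two-request profile the article and later comments describe; the tally is a triage aid, not a verdict on intent.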

Why did the Police and the Criminal Prosecution Service proceed with this case, when there are literally thousands of “computer crimes” happening every day which are far more serious ?

Perhaps we should, say over a period of a month, actually formally complain to the Police about each and every email virus attachment and 419 phishing scam, illegal pharmaceuticals or porn or gambling offers etc that we get, and, optionally, every suspicious alert from our firewalls and other security systems.

This could easily be hundreds or thousands of “Computer Misuse Act” crimes, per person, per day.

This would show just how under-reported actual computer crimes are, and might lead to the badly needed reform of the archaic, pre-internet era Computer Misuse Act.

It would also completely ruin the cosy deal between the Treasury and the Home Office, whereby David Blunkett got a couple of billion pounds extra to spend out of Gordon Brown, on condition that recorded crime fell by 15% over the next couple of years.

Proper recording of internet related crime would ruin any chance of those figures being achieved, except through spin and trickery.

Agreed with many of the other commenters — this is a travesty of justice. Personally, I’ve been waiting to comment until more details were revealed on what actions he took exactly, and now, here they are — and they boil down to two simple URL checks.

His actions were entirely understandable, IMO. They were not hostile activities in themselves — they might have been the *prelude* to hostility, in other cases, but not in this one.

Instead of making parallels with “rattling the doorknob” or “lurking around the back door of a bank”, a better parallel would be looking through the bank’s front window, from the street!

If only law enforcement took this degree of interest in genuine phishing cases, where innocent parties find their bank accounts emptied by *real* criminals, like the unprosecuted phisher in Quebec discussed in this USA Today article.

When I am sent to a directory page for downloading (legitimate) files via FTP, while using the Web, I often cannot find what was said to be there, and I will then see if it might be in the directory above (..). I suppose this would be seen as illegal at least under the UK law being discussed; I don’t know about the U. S., where I live.

This is a troubling case and it’s apparent to me that the man did nothing at all wrong. The law needs revising, and his sentence needs overturning.

I would hope, though, that in any event his career will still be safe, as any potential employer worth working for should recognize the stupidity of this affair and be appreciative of this individual’s suspicions about the site. I would be suspicious, too, if I received no acknowledgment for a payment!

Bet that’s the last time Daniel Cuthbert, and indeed many others consider making a charitable donation over the web. Many thanks for the “heads up” that BT are in fact police and government stoolies. That won’t do business any good; nobody loves a stoolie. You do start to wonder whether the police are a necessary evil or just the enforcement branch of the government’s repression apparatus. For them there is no notion of innocence, only people that haven’t yet been convicted. How can you expect anything resembling a fair trial when judges and lawyers just don’t have a clue about anything technical, particularly computer related. The government’s overall plan is to keep the population cowed by turning law-abiding citizens into convicted criminals, thus to discourage all forms of protest, including anti-government blogging. Police watchword: When you can’t catch the criminals, make criminals out of those you can catch. A criminal record can definitely disrupt your emigration plans, so join those free-thinking risk takers that have left Police State UK. But don’t leave a forwarding address, or register with the Embassy when you arrive.

I suggest that we all hit all the UK government web sites we can find with the command: http:///www.domainname.ext../../../ in protest. This should teach a lesson to these stupid cops and magistrates (magisterially stupid!) that know nothing about computers, the internet or simply life.

The judge that took this decision should be tarred and feathered, as well as the Scotland Yard piece of crap.

I am so sick and tired of these corrupt and incompetent parasitic bureaucrats bringing down our societies! I hope that one day the rope will break on them!
